Chapter 8
IP Security
MSc. NGUYEN CAO DAT, Dr. TRAN VAN HOAI
BKTP.HCM
IP Security
• have a range of application-specific security mechanisms
  ▫ eg. S/MIME, PGP, Kerberos, SSL/HTTPS
• however there are security concerns that cut across protocol layers
• would like security implemented by the network for all applications
IPSec
• general IP Security mechanism provides
  ▫ authentication
  ▫ confidentiality
  ▫ key management
• applicable to use over LANs, across public & private WANs, & for the Internet
IPSec Uses
Benefits of IPSec
• in a firewall/router provides strong security to all traffic crossing the perimeter
• in a firewall/router is resistant to bypass
• is below transport layer, hence transparent to applications
• can be transparent to end users
• can provide security for individual users
• secures routing architecture
IP Security Architecture
• specification is quite complex
• defined in numerous RFCs
  ▫ incl. RFC 2401/2402/2406/2408
  ▫ many others, grouped by category
• mandatory in IPv6, optional in IPv4
• have two security header extensions:
  ▫ Authentication Header (AH)
  ▫ Encapsulating Security Payload (ESP)
IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
  ▫ a form of partial sequence integrity
• Confidentiality (encryption)
• Limited traffic flow confidentiality
Security Associations
• a one-way relationship between sender & receiver that affords security for traffic flow
• defined by 3 parameters:
  ▫ Security Parameters Index (SPI)
  ▫ IP Destination Address
  ▫ Security Protocol Identifier
• has a number of other parameters
  ▫ seq no, AH & ESP info, lifetime etc
• have a database of Security Associations
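As an added illustration (not part of the slides), the following Python sketches a Security Association Database keyed on the three SA parameters above, together with the anti-replay sliding window that implements the "rejection of replayed packets" service from the IPSec Services slide; the class and function names and the 64-bit window are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed example (not from the lecture): a minimal Security Association
# Database keyed on the three SA parameters named above, plus the anti-replay
# sliding window that gives the "partial sequence integrity" service.
WINDOW = 64  # RFC 2401 requires at least 32; 64 is a common default

@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    proto: str             # "AH" or "ESP"
    window: int = WINDOW
    highest_seq: int = 0   # right edge of the window: largest seq accepted so far
    bitmap: int = 0        # bit i set  <=>  seq (highest_seq - i) already received

    def check_replay(self, seq: int) -> bool:
        """Accept seq (and record it), or reject it as replayed / too old."""
        if seq == 0:
            return False          # seq 0 is never transmitted on an SA
        if seq > self.highest_seq:
            # New right edge: slide the window, bits falling off the left are lost
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window:
            return False          # left of the window: too old to track
        if self.bitmap & (1 << diff):
            return False          # already seen: replayed packet
        self.bitmap |= 1 << diff  # late but in-window and unseen: accept once
        return True

class SAD:
    def __init__(self):
        self._table = {}   # inbound lookup is by (SPI, destination address, protocol)

    def add(self, sa: SecurityAssociation):
        self._table[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi, dst, proto):
        return self._table.get((spi, dst, proto))

def inbound(sad: SAD, spi: int, dst: str, proto: str, seq: int) -> str:
    # Receiver-side decision for one packet: 'no SA', 'accept' or 'drop'
    sa = sad.lookup(spi, dst, proto)
    if sa is None:
        return "no SA"
    return "accept" if sa.check_replay(seq) else "drop"
```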
Authentication Header (AH)
• provides support for data integrity & authentication of IP packets
  ▫ end system/router can authenticate user/app
  ▫ prevents address spoofing attacks by tracking sequence numbers
• based on use of a MAC
  ▫ HMAC-MD5-96 or HMAC-SHA-1-96
• parties must share a secret key
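Added example (not the lecture's code) of how the AH MAC is computed with HMAC-SHA-1-96 over an IPv4 packet: the MAC covers the whole packet, so a changed source address fails verification, while fields that routers legitimately modify in transit (TTL etc.) are zeroed before hashing so they do not; the packet-building helpers and the shared key are constructed for this example.

```python
import hmac
import hashlib
import struct

# Constructed example (not the lecture's code): compute and verify the AH
# Integrity Check Value with HMAC-SHA-1-96 over an IPv4 packet.  The MAC covers
# the whole packet, but IPv4 fields that change in transit (TOS, flags/fragment
# offset, TTL, header checksum) and the ICV field itself are taken as zero.
AH_PROTO = 51
ICV_LEN = 12  # 96 bits = leftmost 12 bytes of the 20-byte HMAC-SHA-1 output

def ipv4_header(src: bytes, dst: bytes, total_len: int, ttl: int = 64) -> bytes:
    # Minimal 20-byte header, no options; checksum left zero for brevity
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, AH_PROTO, 0, src, dst)

def zero_mutable(ip_hdr: bytes) -> bytes:
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    # Next Header | Payload Len | Reserved | SPI | Sequence Number | ICV
    # Payload Len = AH length in 32-bit words minus 2 (= 4 for a 96-bit ICV)
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv

def compute_icv(key, ip_hdr, next_hdr, spi, seq, payload) -> bytes:
    ah = ah_header(next_hdr, spi, seq, b"\x00" * ICV_LEN)   # ICV field zeroed
    mac = hmac.new(key, zero_mutable(ip_hdr) + ah + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]

def build_packet(key, src, dst, next_hdr, spi, seq, payload) -> bytes:
    hdr = ipv4_header(src, dst, 20 + 12 + ICV_LEN + len(payload))
    icv = compute_icv(key, hdr, next_hdr, spi, seq, payload)
    return hdr + ah_header(next_hdr, spi, seq, icv) + payload

def verify_packet(key, pkt) -> bool:
    hdr, ah, payload = pkt[:20], pkt[20:44], pkt[44:]
    next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    expected = compute_icv(key, hdr, next_hdr, spi, seq, payload)
    return hmac.compare_digest(expected, ah[12:])   # constant-time compare
```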
Authentication Header
Transport & Tunnel Modes
Encapsulating Security Payload (ESP)
• provides message content confidentiality & limited traffic flow confidentiality
• can optionally provide the same authentication services as AH
• supports range of ciphers, modes, padding
  ▫ incl. DES, Triple-DES, RC5, IDEA, CAST etc
  ▫ CBC & other modes
  ▫ padding needed to fill blocksize, fields, for traffic flow
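Added example (not from the slides) of the ESP padding the last bullet refers to: the trailer is built so payload, padding and the Pad Length / Next Header bytes fill whole cipher blocks, extra padding hides the true payload length, and the receiver validates the trailer before trusting it; function names and the `tfc_pad` parameter are assumptions of this example.

```python
# Constructed example (not the lecture's code): build and parse the ESP trailer
# (Padding | Pad Length | Next Header) that follows the payload in RFC 2406.
# Payload + padding + the two trailer bytes must fill the cipher block size;
# padding beyond the minimum conceals the true payload length (the slides'
# "limited traffic flow confidentiality").  Default padding bytes are 1, 2, 3, ...

def esp_trailer(payload: bytes, block_size: int, next_header: int, tfc_pad: int = 0) -> bytes:
    """Return payload || padding || pad_len || next_header, block aligned."""
    need = (-(len(payload) + 2 + tfc_pad)) % block_size   # bytes to reach a block boundary
    pad_len = need + tfc_pad
    if pad_len > 255:
        raise ValueError("Pad Length is a single byte; reduce tfc_pad")
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])

def strip_trailer(plaintext: bytes, block_size: int):
    """Receiver side, after decryption: validate the trailer, return (payload, next_header)."""
    if len(plaintext) < 2 or len(plaintext) % block_size:
        raise ValueError("plaintext is not block aligned")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + 2 > len(plaintext):
        raise ValueError("Pad Length exceeds packet")   # malformed: never index before the start
    padding = plaintext[-2 - pad_len:-2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the default 1,2,3,... pattern")
    return plaintext[:-2 - pad_len], next_header
```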
Encapsulating Security Payload
Transport vs Tunnel Mode ESP
• transport mode is used to encrypt & optionally authenticate IP data
  ▫ data protected but header left in clear
  ▫ can do traffic analysis but is efficient
  ▫ good for ESP host to host traffic
• tunnel mode encrypts entire IP packet
  ▫ add new header for next hop
  ▫ good for VPNs, gateway to gateway security
Combining Security Associations
• SAs can implement either AH or ESP
• to implement both need to combine SAs
  ▫ form a security association bundle
  ▫ may terminate at different or same endpoints
  ▫ combined by transport adjacency or iterated tunneling
• issue of authentication & encryption order
Combining Security Associations
Key Management
• handles key generation & distribution
• typically need 2 pairs of keys
  ▫ 2 per direction for AH & ESP
• manual key management
  ▫ sysadmin manually configures every system
• automated key management
  ▫ automated system for on demand creation of keys for SAs in large systems
  ▫ has Oakley & ISAKMP elements
Oakley
• a key exchange protocol
• based on Diffie-Hellman key exchange
• adds features to address weaknesses
  ▫ cookies, groups (global params), nonces, DH key exchange with authentication
• can use arithmetic in prime fields or elliptic curve fields
ISAKMP
Internet Security Association and Key Management Protocol
• provides framework for key management
• defines procedures and packet formats to establish, negotiate, modify, & delete SAs
• independent of key exchange protocol, encryption alg, & authentication method
Summary
• have considered:
  ▫ IPSec security framework
  ▫ AH
  ▫ ESP
  ▫ key management & Oakley/ISAKMP